“Trust, but verify.”
— President Ronald Reagan
Trust is getting a lot of attention these days. Of course, it’s always been important in the United States. We declare trust in God on our currency, Scouts have to be trustworthy, and we even seem to trust the algorithm behind cryptocurrencies. On the other hand, we worry about what feels like a decline, if not complete rupture, in social trust. For businesses that depend on controlling the confidentiality of data shared with employees and outsiders, these are perilous times. Our most important assets are stored and transmitted through digital systems that are imperfect; and that’s without accounting for the frailties of the people with access to those assets.
Information security has come a long way since I started my career in the 1970s. There were no networks to worry about then, no powerful computers in the pockets of employees. Data was transmitted on paper. You just needed to watch the front door and photocopier. Employees with their badges as markers of trust could go pretty much anywhere they wanted within the facility.
The internet was still a pipe dream when the United States and the Soviet Union began negotiating to reduce their frightening stockpiles of intermediate-range nuclear weapons. One thing we remember from those negotiations is the quote attributed to President Reagan: “Trust, but verify.” A very wise and relevant point; but he didn’t make it up. The phrase is translated from a rhyming Russian proverb – Doveryai, no proveryai – that basically means to validate everything even with a trusted person. It turns out that one of Reagan’s advisors told him that the Russians love to speak in aphorisms, and this was his favorite from a list she had provided him to memorize. And he used it often; by the time the deal was struck, Gorbachev complained that Reagan said it in every one of their meetings.
At that time, and continuing until recently, trust has been at the forefront (along with verification) of enterprise secrecy controls. We could usually take comfort in the fact that we knew who our colleagues were in the building. (Remember when we all worked together in an office?) That’s also where the data was, sitting in secure filing cabinets in locked offices. Then came the corporate digital network, and now, increasingly, our IT systems are in the cloud and our colleagues (often from their homes) are connected with the company’s data through their personal computers, tablets and smartphones. Meanwhile, the bad guys are constantly attacking our systems, looking for security vulnerabilities that will get them inside.
But we do have to get the work done, frequently accessing sensitive data to do it. So, who do we trust? In the classic digital environment, identity is established with a password: get it right and then you’ve got broad access to wander through the system (or some major portion of it). That kind of “implicit trust zone” can work pretty well in a small company where people know each other. It is less likely to suit a business with thousands of employees and many external relationships where sensitive information has to be shared.
In most enterprises, security is managed by distributing more or less permanent status to individual users who are given access based on their then-current job description. If the system is working properly, scope of access is adjusted when a person moves to a different scope of responsibilities. But even when those changes are perfectly accounted for, the individual is still given admission to a very broad array of data, much more than might be necessary for any specific task.
That approach may be reasonable when you have very limited entry points into the system and where job requirements are fairly static. But increasingly, the company’s assets are in the cloud and its networks are accessible through other points, a lot of them remote. In addition, many people work on projects that change over time, so their scope of responsibility is not static.
Enter “Zero Trust,” where nobody gets a hall pass, and every inquiry is by default treated as if it might be a breach. The idea is to bring access controls down to the lowest possible level of detail, so that identity is established in much the same way that we did decades ago: we know who the user is because the system, using AI and machine learning based on the user’s profile and past behavior, recognizes them with a high level of confidence. And, in the same way, it “knows” what resources in the system they should or shouldn’t need. It then provides just enough access to enable the task at hand. In effect, this automates risk-based decisions in ways that can be more efficient.
You might be excused for thinking at this point: oh no, I’ve just gotten over the annoyance of dealing with two-factor authentication; the last thing I want to deal with is heavier security! Won’t this interfere with information flows and frustrate legitimate actors from getting the data they need to do their jobs? We understand, of course. But the proponents of ZTNA (zero-trust network architecture) assure us that it’s actually going to be easier to deal with. Technology deployed to reliably identify you will in fact be so seamless that you will be able to get rid of the dreaded VPN connection!
What? How is that possible, you might say. Well, look at it this way: the VPN is a door with a lock consisting of certain credentials, and hackers go for those credentials just like they do other data – and that’s because the credentials reflect “implicit trust.” When the door is no longer opened by a key but instead by an intelligent, well-informed analysis of who is there and why they want to get in, the hacker’s job just got enormously more difficult. People sitting at their desks can sometimes be fooled by spearphishing emails based on data about them scraped from social media; but you’ll almost never be able to fool the AI machine.
Indeed, technology is what’s enabling this much more sophisticated approach to IT security. It’s increasingly possible to adjust access controls dynamically to account for changes in the risk environment. The security professionals call this “adaptive access.”
Feeling better now? “Zero Trust” is not some dystopian nightmare in which we have lost all our humanity. In fact, it may make our jobs easier by automating detection and response processes that now involve humans with all their capacity for error and misjudgment. Or at least that’s what everyone seems to assume.
In any event, ZTNA is coming to a large company near you. We can be fairly sure of this because the National Institute of Standards and Technology, part of the Commerce Department and the source of the most widely adopted standard for cybersecurity management, has recently issued the NIST 800-207 Zero Trust guidelines.
For many smaller companies, this is likely to be a long-term issue, as the risk environment may not indicate this sort of access control, especially within groups that value a great deal of fluid information flow and collaboration. But for larger, more complex organizations with multiple business units and product lines, the zero-trust approach may be the right direction.
As with most information security strategies, this one begins with identifying the company’s “resources,” that is, your data and where it’s located. Then you examine all of the “identities” that may need access. That part of the process is likely to be more difficult with mature organizations, because of the proliferation of user accounts. After that, you determine the circumstances under which the “identities” need to access each resource, and for each such interaction you define levels of confidence (i.e., establish algorithms) that will permit different levels of access.
For most companies, this doesn’t mean replacing your existing framework, because most of the principles are implemented in existing systems, especially identity verification. Zero trust just takes it to a new level with a judgment about confidence in the identification, by looking at the circumstances of the access request and the device it’s coming from.
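The steps just described (resources, identities, circumstances, confidence levels) can be sketched as a per-request policy check. This is an added example, not code from NIST 800-207 or any product; the signal names, weights, resources, roles and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Everything below is an illustrative assumption: signal names, weights
# (percentage points of confidence), resources, roles and thresholds.
WEIGHTS = {"mfa_passed": 35, "managed_device": 25, "device_patched": 15,
           "usual_location": 15, "usual_hours": 10}

# Per resource: which roles need it at all, and the minimum confidence
# for each access level, highest level first.
POLICY = {
    "payroll-db": {"roles": {"hr", "finance"},
                   "levels": [(85, "read-write"), (60, "read-only")]},
    "eng-wiki": {"roles": {"engineering", "hr", "finance"},
                 "levels": [(50, "read-write"), (30, "read-only")]},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    signals: frozenset  # signals verified for this one request

def confidence(req: AccessRequest) -> int:
    """Score 0-100 from the circumstances of the request and its device."""
    return sum(w for name, w in WEIGHTS.items() if name in req.signals)

def decide(req: AccessRequest) -> tuple:
    """Evaluated on every request; anything not explicitly allowed is denied."""
    score = confidence(req)
    policy = POLICY.get(req.resource)
    if policy is None or req.role not in policy["roles"]:
        return "deny", score          # no business need, whatever the score
    for threshold, level in policy["levels"]:
        if score >= threshold:
            return level, score       # just enough access for this confidence
    return "deny", score

if __name__ == "__main__":
    # Constructed requests: the same user and password in different contexts.
    full = frozenset(WEIGHTS)
    for role, res, sig in [("hr", "payroll-db", full),
                           ("hr", "payroll-db", frozenset({"mfa_passed", "managed_device"})),
                           ("hr", "payroll-db", frozenset({"mfa_passed"})),
                           ("engineering", "payroll-db", full)]:
        print(role, res, sorted(sig), "->", decide(AccessRequest("alice", role, res, sig)))
```

The same identity gets read-write, read-only or no access to the same resource depending on the device and circumstances of each request, and a role with no need for the resource is denied even at full confidence.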
The new phrase is “never trust anyone, and verify constantly.” But remember, these are automated systems to protect sensitive data; they are not comprehensive controls on human interaction within the enterprise. Indeed, inside the corporate community, we need to foster the kind of collegiality and honest communication that support empathy, collaboration, creativity and . . . . trust.
Secretary of State George Shultz, who accompanied Reagan during his negotiations with Gorbachev, published some good advice just before his passing at age 100: “When we are at our best, we trust in each other . . . . With that bond, [we] can do big, hard things together, changing the world for the better.”